Several organizations, including the National Cyber Security Alliance, have developed guidelines for individuals to stay safe online, while CompTIA’s Security Trustmark program validates that a business adheres to the industry’s best security practices. However, we couldn’t find good guidelines for an IT security employee education program. So, with the help of our in-house security expert, we created our own! The following tips can be integrated into a company’s internal awareness campaigns or used on their own in print, online or during media interviews:
• External storage devices can compromise security by allowing viruses and other malware to bypass network security safeguards. Simply connecting a USB “thumb” drive, SD card or portable hard drive to a desktop computer can infect the entire network from the inside, the same way a hypodermic needle could easily transmit blood-borne viruses that couldn’t otherwise penetrate the skin.
• Sensitive, confidential data can be sent out inadvertently as part of routine email correspondence. It isn’t difficult to imagine emailing a spreadsheet of names without noticing that one of the tabs contains credit card numbers. An internal company owner of each data class should be appointed to monitor and maintain confidentiality. Staff should be trained to identify, label and protect sensitive data so they don’t inadvertently give away the keys.
• The data contained on IT hardware such as laptops and smartphones can be as valuable as the hardware itself. Staff should be aware of how hardware is commonly lost or stolen (from cars, airport security, hotel rooms, etc.) and be given the tools (such as cable locks) to secure their devices. Further, they should know what is safe to store on the devices and how to use any included encryption software.
• Security can be compromised by staff accessing (or trying to access) sensitive data from an infected machine or over an insecure network connection. Trying to log in to a secure network from a machine that is infected with a keylogger or other spyware can expose a user’s password and other sensitive data to a third party. Using an insecure wireless network to access sensitive data can also pose a security risk. Staff should be trained to avoid using insecure machines or unencrypted networks to access corporate networks or sensitive data.